Is it almost prohibited to downgrade recent Anki security updates by add-on?

Background: The add-on “Searching, PDF Reading & Note-Taking in Add Dialog” stopped working in the latest Anki 25.04 ~ 25.07, so I am trying to fork it and fix it. This add-on is for creating notes from PDFs inside the Editor, and is popular because it used to have 200+ ratings. Development by the original author (fonol, Tom Z) was discontinued around 2022. (The add-on page has been removed and the GitHub repository is archived.)

So far, fixing the add-ons broken by the Anki security update has been going very well and there have been very few problems (probably the solution by Glutanimate is working); the IPA add-ons noted in Anki’s release have already been fixed, and other broken add-ons can be fixed or replaced.

However, the code for Search PDF is complex: functions for searching PDFs and notes, ebooks, pomodoro timers, etc. are all embedded in the Editor. It generates HTML and JavaScript in Python, and onclick has 500+ uses, so I already know how to fix it, but the code is complicated and it takes time to check that it works, so it cannot be fixed immediately. (I think it is repairable in the long run.)

For now, a practical workaround is to monkey-patch “aqt.mediasrv.legacy_page_data” and downgrade to the older version. (e.g. release a monkey-patched version of the add-on with downgraded security (warning users) → gradually replace the JavaScript in SearchPDF → make sure it works → release a version with security restored)

But I thought that the development of such an add-on that downgrades security might be prohibited by the official Anki project or the development community in the first place. (I think add-ons can basically be developed freely, but add-ons uploaded to AnkiWeb will be governed by Anki’s terms of service, etc.) Is downgrading recent security updates with add-ons prohibited or very strongly discouraged?
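The plan above replaces inline onclick handlers rather than restoring the old page data. As an added example (not the add-on’s or Anki’s code), here is the hardening pattern in Python that the thread’s migration step implies, assuming the breakage comes from inline event handlers no longer being allowed: controls are rendered with data attributes and served by one delegated listener, and a lint catches any leftover inline handlers in generated HTML. The function names, the JavaScript dispatcher, and the sample snippet are constructed for this example.

```python
import html
import re
from typing import Mapping

# Lint patterns: inline on*= handlers and javascript: URLs in generated HTML.
_INLINE_HANDLER = re.compile(r'\son[a-z]+\s*=', re.IGNORECASE)
_JS_URL = re.compile(r'\s(?:href|src)\s*=\s*["\']?\s*javascript:', re.IGNORECASE)

# Delegated listener, shipped once from a non-inline script (hypothetical name).
# It only dispatches to a fixed table of handlers, so no element-level JS is evaluated.
DELEGATED_LISTENER_JS = """
const handlers = { "open-pdf": (d) => openPdf(Number(d.page)) };
document.addEventListener("click", (ev) => {
  const el = ev.target.closest("[data-action]");
  if (el && handlers[el.dataset.action]) handlers[el.dataset.action](el.dataset);
});
"""


def render_button(label: str, action: str, args: Mapping[str, str]) -> str:
    """Render a control described only by data attributes (no inline onclick).

    Action and argument names are restricted to a safe character set and
    values are HTML-escaped, so generated markup never carries script text.
    """
    if not re.fullmatch(r'[a-z][a-z0-9-]*', action):
        raise ValueError(f'unexpected action name: {action!r}')
    attrs = [f'data-action="{html.escape(action, quote=True)}"']
    for key, value in args.items():
        if not re.fullmatch(r'[a-z][a-z0-9-]*', key):
            raise ValueError(f'unexpected argument name: {key!r}')
        attrs.append(f'data-{key}="{html.escape(str(value), quote=True)}"')
    return f'<button type="button" {" ".join(attrs)}>{html.escape(label)}</button>'


def find_inline_script_uses(generated_html: str) -> list[str]:
    """Return snippets that still rely on inline handlers or javascript: URLs."""
    found = [m.group(0).strip() for m in _INLINE_HANDLER.finditer(generated_html)]
    found += [m.group(0).strip() for m in _JS_URL.finditer(generated_html)]
    return found


# Constructed legacy-style snippet of the kind the migration has to remove.
LEGACY_SNIPPET = '<a href="javascript:void(0)" onclick="openPdf(42)">Open</a>'
```

Run `find_inline_script_uses` over every page the add-on generates during the migration; an empty result for all of them is the point at which the monkey patch can be dropped.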

Personal opinion: I don’t like the sound of the idea of patching security fixes to make complex add-ons work. Maybe it’s worth taking a slow approach here? I mean, the add-on has been broken for a while, as far as I know.
Additionally, I can’t help but note that the add-on will probably require even bigger changes soon after #4029 is finalized. That PR will also make the security fix more important, as the editor will have wider access to the internal API.

3 Likes

Hmmm well, it may be dangerous in the future if there are more add-ons that use security patches. I’ll release a placeholder for this add-on that excludes patches and develop it slowly.

2 Likes

I think this add-on looks like the one I made recently, if you want to test it.

Watch the video; there is no sound, but I think you can understand it.

https://ankiweb.net/shared/info/16097657

1 Like

It seems to me that the basic structure is similar. For now this add-on is too multifunctional and broken, so it might be easier to maintain it by reducing its functions as much as possible and replacing it with a simple add-on.

It would be irresponsible to patch out security fixes without the user’s knowledge, but if you’re presenting a big scary warning they can’t miss or misunderstand, it’s probably not much more harmful than recommending users run an old Anki version to use the add-on, which many authors already do without much thought to such things.

The good news at least is that with most users being protected, there’s a much-reduced incentive for someone to try and abuse the holes that were patched up, as they’ll have limited reach.

1 Like

I almost completed all the fixes for this add-on, so the monkey patch for security is no longer needed, thanks.

I built and tested it and found that some hooks were broken, but all were resolved (complete support is not yet available, but maybe after the release I’ll be able to adjust it), so there are no major problems. The new editor has a more stylish design and code, so I think it seems to be better.

2 Likes